├── BINARIES
│   ├── FreeBSD11_64
│   │   └── parse_evtx
│   ├── Linux_32
│   │   └── parse_evtx
│   ├── Linux_64
│   │   └── parse_evtx
│   ├── Mingw-w64_32
│   │   └── parse_evtx.exe
│   ├── Mingw-w64_64
│   │   └── parse_evtx.exe
│   └── OSX
│       └── parse_evtx
├── COPYING.MinGW-w64-runtime.txt
├── COPYING.lgpl-2.1.txt
├── COPYING.parse_evtx.txt
├── README.md
└── SOURCES
    ├── CMakeLists.txt
    ├── forensics
    │   ├── CMakeLists.txt
    │   ├── eventlist.h
    │   └── main_parse_evtx.cpp
    ├── tools
    │   └── wintime.h
    └── utils
        ├── igmacro.h
        └── win_types.h

/BINARIES/FreeBSD11_64/parse_evtx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KasperskyLab/ForensicsTools/a4b02b90ac136e35023bfb61b7dbcd33fb6de7a8/BINARIES/FreeBSD11_64/parse_evtx
--------------------------------------------------------------------------------
/BINARIES/Linux_32/parse_evtx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KasperskyLab/ForensicsTools/a4b02b90ac136e35023bfb61b7dbcd33fb6de7a8/BINARIES/Linux_32/parse_evtx
--------------------------------------------------------------------------------
/BINARIES/Linux_64/parse_evtx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KasperskyLab/ForensicsTools/a4b02b90ac136e35023bfb61b7dbcd33fb6de7a8/BINARIES/Linux_64/parse_evtx
--------------------------------------------------------------------------------
/BINARIES/Mingw-w64_32/parse_evtx.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KasperskyLab/ForensicsTools/a4b02b90ac136e35023bfb61b7dbcd33fb6de7a8/BINARIES/Mingw-w64_32/parse_evtx.exe
--------------------------------------------------------------------------------
/BINARIES/Mingw-w64_64/parse_evtx.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KasperskyLab/ForensicsTools/a4b02b90ac136e35023bfb61b7dbcd33fb6de7a8/BINARIES/Mingw-w64_64/parse_evtx.exe
--------------------------------------------------------------------------------
/BINARIES/OSX/parse_evtx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KasperskyLab/ForensicsTools/a4b02b90ac136e35023bfb61b7dbcd33fb6de7a8/BINARIES/OSX/parse_evtx
--------------------------------------------------------------------------------
/COPYING.MinGW-w64-runtime.txt:
--------------------------------------------------------------------------------
MinGW-w64 runtime licensing
***************************

This program or library was built using MinGW-w64 and statically
linked against the MinGW-w64 runtime. Some parts of the runtime
are under licenses which require that the copyright and license
notices are included when distributing the code in binary form.
These notices are listed below.


========================
Overall copyright notice
========================

Copyright (c) 2009, 2010, 2011, 2012, 2013 by the mingw-w64 project

This license has been certified as open source. It has also been designated
as GPL compatible by the Free Software Foundation (FSF).

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions in source code must retain the accompanying copyright
   notice, this list of conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the accompanying
   copyright notice, this list of conditions, and the following disclaimer
   in the documentation and/or other materials provided with the
   distribution.
3. Names of the copyright holders must not be used to endorse or promote
   products derived from this software without prior written permission
   from the copyright holders.
4. The right to distribute this software or to use it for any purpose does
   not give you the right to use Servicemarks (sm) or Trademarks (tm) of
   the copyright holders. Use of them is covered by separate agreement
   with the copyright holders.
5. If any files are modified, you must cause the modified files to carry
   prominent notices stating that you changed the files and the date of
   any change.

Disclaimer

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS ``AS IS'' AND ANY EXPRESSED
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

========================================
getopt, getopt_long, and getopt_long_only
========================================

Copyright (c) 2002 Todd C. Miller

Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.

* * * * * * *

Copyright (c) 2000 The NetBSD Foundation, Inc.
All rights reserved.

This code is derived from software contributed to The NetBSD Foundation
by Dieter Baron and Thomas Klausner.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.


===============================================================
gdtoa: Converting between IEEE floating point numbers and ASCII
===============================================================

The author of this software is David M. Gay.

Copyright (C) 1997, 1998, 1999, 2000, 2001 by Lucent Technologies
All Rights Reserved

Permission to use, copy, modify, and distribute this software and
its documentation for any purpose and without fee is hereby
granted, provided that the above copyright notice appear in all
copies and that both that the copyright notice and this
permission notice and warranty disclaimer appear in supporting
documentation, and that the name of Lucent or any of its entities
not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior
permission.

LUCENT DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
IN NO EVENT SHALL LUCENT OR ANY OF ITS ENTITIES BE LIABLE FOR ANY
SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER
IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
THIS SOFTWARE.

* * * * * * *

The author of this software is David M. Gay.

Copyright (C) 2005 by David M. Gay
All Rights Reserved

Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted,
provided that the above copyright notice appear in all copies and that
both that the copyright notice and this permission notice and warranty
disclaimer appear in supporting documentation, and that the name of
the author or any of his current or former employers not be used in
advertising or publicity pertaining to distribution of the software
without specific, written prior permission.

THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN
NO EVENT SHALL THE AUTHOR OR ANY OF HIS CURRENT OR FORMER EMPLOYERS BE
LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
SOFTWARE.

* * * * * * *

The author of this software is David M. Gay.

Copyright (C) 2004 by David M. Gay.
All Rights Reserved
Based on material in the rest of /netlib/fp/gdota.tar.gz,
which is copyright (C) 1998, 2000 by Lucent Technologies.

Permission to use, copy, modify, and distribute this software and
its documentation for any purpose and without fee is hereby
granted, provided that the above copyright notice appear in all
copies and that both that the copyright notice and this
permission notice and warranty disclaimer appear in supporting
documentation, and that the name of Lucent or any of its entities
not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior
permission.

LUCENT DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
IN NO EVENT SHALL LUCENT OR ANY OF ITS ENTITIES BE LIABLE FOR ANY
SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER
IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
THIS SOFTWARE.


=========================
Parts of the math library
=========================

Copyright (C) 1993 by Sun Microsystems, Inc. All rights reserved.

Developed at SunSoft, a Sun Microsystems, Inc. business.
Permission to use, copy, modify, and distribute this
software is freely granted, provided that this notice
is preserved.

* * * * * * *

Copyright (C) 1993 by Sun Microsystems, Inc. All rights reserved.

Developed at SunPro, a Sun Microsystems, Inc. business.
Permission to use, copy, modify, and distribute this
software is freely granted, provided that this notice
is preserved.

* * * * * * *

FIXME: Cephes math lib
Copyright (C) 1984-1998 Stephen L. Moshier

It sounds vague, but as to be found at
, it gives an
impression that the author could be willing to give an explicit
permission to distribute those files e.g. under a BSD style license. So
probably there is no problem here, although it could be good to get a
permission from the author and then add a license into the Cephes files
in MinGW runtime. At least on follow-up it is marked that debian sees the
version a-like BSD one. As MinGW.org (where those cephes parts are coming
from) distributes them now over 6 years, it should be fine.

===================================
Headers and IDLs imported from Wine
===================================

Some header and IDL files were imported from the Wine project. These files
are prominently marked in source. Their copyright belongs to contributors and
they are distributed under LGPL license.

Disclaimer

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.

--------------------------------------------------------------------------------
/COPYING.lgpl-2.1.txt:
--------------------------------------------------------------------------------
GNU LESSER GENERAL PUBLIC LICENSE
Version 2.1, February 1999

Copyright (C) 1991, 1999 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

[This is the first released version of the Lesser GPL. It also counts
as the successor of the GNU Library Public License, version 2, hence
the version number 2.1.]

Preamble

The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
Licenses are intended to guarantee your freedom to share and change
free software--to make sure the software is free for all its users.

This license, the Lesser General Public License, applies to some
specially designated software packages--typically libraries--of the
Free Software Foundation and other authors who decide to use it. You
can use it too, but we suggest you first think carefully about whether
this license or the ordinary General Public License is the better
strategy to use in any particular case, based on the explanations below.

When we speak of free software, we are referring to freedom of use,
not price. Our General Public Licenses are designed to make sure that
you have the freedom to distribute copies of free software (and charge
for this service if you wish); that you receive source code or can get
it if you want it; that you can change the software and use pieces of
it in new free programs; and that you are informed that you can do
these things.

To protect your rights, we need to make restrictions that forbid
distributors to deny you these rights or to ask you to surrender these
rights. These restrictions translate to certain responsibilities for
you if you distribute copies of the library or if you modify it.

For example, if you distribute copies of the library, whether gratis
or for a fee, you must give the recipients all the rights that we gave
you. You must make sure that they, too, receive or can get the source
code. If you link other code with the library, you must provide
complete object files to the recipients, so that they can relink them
with the library after making changes to the library and recompiling
it. And you must show them these terms so they know their rights.

We protect your rights with a two-step method: (1) we copyright the
library, and (2) we offer you this license, which gives you legal
permission to copy, distribute and/or modify the library.

To protect each distributor, we want to make it very clear that
there is no warranty for the free library. Also, if the library is
modified by someone else and passed on, the recipients should know
that what they have is not the original version, so that the original
author's reputation will not be affected by problems that might be
introduced by others.

Finally, software patents pose a constant threat to the existence of
any free program. We wish to make sure that a company cannot
effectively restrict the users of a free program by obtaining a
restrictive license from a patent holder. Therefore, we insist that
any patent license obtained for a version of the library must be
consistent with the full freedom of use specified in this license.

Most GNU software, including some libraries, is covered by the
ordinary GNU General Public License. This license, the GNU Lesser
General Public License, applies to certain designated libraries, and
is quite different from the ordinary General Public License. We use
this license for certain libraries in order to permit linking those
libraries into non-free programs.

When a program is linked with a library, whether statically or using
a shared library, the combination of the two is legally speaking a
combined work, a derivative of the original library. The ordinary
General Public License therefore permits such linking only if the
entire combination fits its criteria of freedom. The Lesser General
Public License permits more lax criteria for linking other code with
the library.

We call this license the "Lesser" General Public License because it
does Less to protect the user's freedom than the ordinary General
Public License. It also provides other free software developers Less
of an advantage over competing non-free programs. These disadvantages
are the reason we use the ordinary General Public License for many
libraries. However, the Lesser license provides advantages in certain
special circumstances.

For example, on rare occasions, there may be a special need to
encourage the widest possible use of a certain library, so that it becomes
a de-facto standard. To achieve this, non-free programs must be
allowed to use the library. A more frequent case is that a free
library does the same job as widely used non-free libraries. In this
case, there is little to gain by limiting the free library to free
software only, so we use the Lesser General Public License.

In other cases, permission to use a particular library in non-free
programs enables a greater number of people to use a large body of
free software. For example, permission to use the GNU C Library in
non-free programs enables many more people to use the whole GNU
operating system, as well as its variant, the GNU/Linux operating
system.

Although the Lesser General Public License is Less protective of the
users' freedom, it does ensure that the user of a program that is
linked with the Library has the freedom and the wherewithal to run
that program using a modified version of the Library.

The precise terms and conditions for copying, distribution and
modification follow. Pay close attention to the difference between a
"work based on the library" and a "work that uses the library". The
former contains code derived from the library, whereas the latter must
be combined with the library in order to run.

GNU LESSER GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License Agreement applies to any software library or other
program which contains a notice placed by the copyright holder or
other authorized party saying it may be distributed under the terms of
this Lesser General Public License (also called "this License").
Each licensee is addressed as "you".

A "library" means a collection of software functions and/or data
prepared so as to be conveniently linked with application programs
(which use some of those functions and data) to form executables.

The "Library", below, refers to any such software library or work
which has been distributed under these terms. A "work based on the
Library" means either the Library or any derivative work under
copyright law: that is to say, a work containing the Library or a
portion of it, either verbatim or with modifications and/or translated
straightforwardly into another language. (Hereinafter, translation is
included without limitation in the term "modification".)

"Source code" for a work means the preferred form of the work for
making modifications to it. For a library, complete source code means
all the source code for all modules it contains, plus any associated
interface definition files, plus the scripts used to control compilation
and installation of the library.

Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running a program using the Library is not restricted, and output from
such a program is covered only if its contents constitute a work based
on the Library (independent of the use of the Library in a tool for
writing it). Whether that is true depends on what the Library does
and what the program that uses the Library does.

1. You may copy and distribute verbatim copies of the Library's
complete source code as you receive it, in any medium, provided that
you conspicuously and appropriately publish on each copy an
appropriate copyright notice and disclaimer of warranty; keep intact
all the notices that refer to this License and to the absence of any
warranty; and distribute a copy of this License along with the
Library.

You may charge a fee for the physical act of transferring a copy,
and you may at your option offer warranty protection in exchange for a
fee.

2. You may modify your copy or copies of the Library or any portion
of it, thus forming a work based on the Library, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

    a) The modified work must itself be a software library.

    b) You must cause the files modified to carry prominent notices
    stating that you changed the files and the date of any change.

    c) You must cause the whole of the work to be licensed at no
    charge to all third parties under the terms of this License.

    d) If a facility in the modified Library refers to a function or a
    table of data to be supplied by an application program that uses
    the facility, other than as an argument passed when the facility
    is invoked, then you must make a good faith effort to ensure that,
    in the event an application does not supply such function or
    table, the facility still operates, and performs whatever part of
    its purpose remains meaningful.

    (For example, a function in a library to compute square roots has
    a purpose that is entirely well-defined independent of the
    application. Therefore, Subsection 2d requires that any
    application-supplied function or table used by this function must
    be optional: if the application does not supply it, the square
    root function must still compute square roots.)

These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Library,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Library, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote
it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Library.

In addition, mere aggregation of another work not based on the Library
with the Library (or with a work based on the Library) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.

3. You may opt to apply the terms of the ordinary GNU General Public
License instead of this License to a given copy of the Library. To do
this, you must alter all the notices that refer to this License, so
that they refer to the ordinary GNU General Public License, version 2,
instead of to this License. (If a newer version than version 2 of the
ordinary GNU General Public License has appeared, then you can specify
that version instead if you wish.) Do not make any other change in
these notices.

Once this change is made in a given copy, it is irreversible for
that copy, so the ordinary GNU General Public License applies to all
subsequent copies and derivative works made from that copy.

This option is useful when you wish to copy part of the code of
the Library into a program that is not a library.

4. You may copy and distribute the Library (or a portion or
derivative of it, under Section 2) in object code or executable form
under the terms of Sections 1 and 2 above provided that you accompany
it with the complete corresponding machine-readable source code, which
must be distributed under the terms of Sections 1 and 2 above on a
medium customarily used for software interchange.

If distribution of object code is made by offering access to copy
from a designated place, then offering equivalent access to copy the
source code from the same place satisfies the requirement to
distribute the source code, even though third parties are not
compelled to copy the source along with the object code.

5. A program that contains no derivative of any portion of the
Library, but is designed to work with the Library by being compiled or
linked with it, is called a "work that uses the Library". Such a
work, in isolation, is not a derivative work of the Library, and
therefore falls outside the scope of this License.

However, linking a "work that uses the Library" with the Library
creates an executable that is a derivative of the Library (because it
contains portions of the Library), rather than a "work that uses the
library". The executable is therefore covered by this License.
Section 6 states terms for distribution of such executables.

When a "work that uses the Library" uses material from a header file
that is part of the Library, the object code for the work may be a
derivative work of the Library even though the source code is not.
Whether this is true is especially significant if the work can be
linked without the Library, or if the work is itself a library. The
threshold for this to be true is not precisely defined by law.

If such an object file uses only numerical parameters, data
structure layouts and accessors, and small macros and small inline
functions (ten lines or less in length), then the use of the object
file is unrestricted, regardless of whether it is legally a derivative
work. (Executables containing this object code plus portions of the
Library will still fall under Section 6.)

Otherwise, if the work is a derivative of the Library, you may
distribute the object code for the work under the terms of Section 6.
Any executables containing that work also fall under Section 6,
whether or not they are linked directly with the Library itself.

6. As an exception to the Sections above, you may also combine or
link a "work that uses the Library" with the Library to produce a
work containing portions of the Library, and distribute that work
under terms of your choice, provided that the terms permit
modification of the work for the customer's own use and reverse
engineering for debugging such modifications.

You must give prominent notice with each copy of the work that the
Library is used in it and that the Library and its use are covered by
this License. You must supply a copy of this License. If the work
during execution displays copyright notices, you must include the
copyright notice for the Library among them, as well as a reference
directing the user to the copy of this License. Also, you must do one
of these things:

    a) Accompany the work with the complete corresponding
    machine-readable source code for the Library including whatever
    changes were used in the work (which must be distributed under
    Sections 1 and 2 above); and, if the work is an executable linked
    with the Library, with the complete machine-readable "work that
    uses the Library", as object code and/or source code, so that the
    user can modify the Library and then relink to produce a modified
    executable containing the modified Library. (It is understood
    that the user who changes the contents of definitions files in the
    Library will not necessarily be able to recompile the application
    to use the modified definitions.)

    b) Use a suitable shared library mechanism for linking with the
    Library. A suitable mechanism is one that (1) uses at run time a
    copy of the library already present on the user's computer system,
    rather than copying library functions into the executable, and (2)
    will operate properly with a modified version of the library, if
    the user installs one, as long as the modified version is
    interface-compatible with the version that the work was made with.

    c) Accompany the work with a written offer, valid for at
    least three years, to give the same user the materials
    specified in Subsection 6a, above, for a charge no more
    than the cost of performing this distribution.

    d) If distribution of the work is made by offering access to copy
    from a designated place, offer equivalent access to copy the above
    specified materials from the same place.

    e) Verify that the user has already received a copy of these
    materials or that you have already sent this user a copy.

For an executable, the required form of the "work that uses the
Library" must include any data and utility programs needed for
reproducing the executable from it. However, as a special exception,
the materials to be distributed need not include anything that is
normally distributed (in either source or binary form) with the major
components (compiler, kernel, and so on) of the operating system on
which the executable runs, unless that component itself accompanies
the executable.

It may happen that this requirement contradicts the license
restrictions of other proprietary libraries that do not normally
accompany the operating system. Such a contradiction means you cannot
use both them and the Library together in an executable that you
distribute.

7. You may place library facilities that are a work based on the
Library side-by-side in a single library together with other library
facilities not covered by this License, and distribute such a combined
library, provided that the separate distribution of the work based on
the Library and of the other library facilities is otherwise
permitted, and provided that you do these two things:

    a) Accompany the combined library with a copy of the same work
    based on the Library, uncombined with any other library
    facilities. This must be distributed under the terms of the
    Sections above.

    b) Give prominent notice with the combined library of the fact
    that part of it is a work based on the Library, and explaining
    where to find the accompanying uncombined form of the same work.

8. You may not copy, modify, sublicense, link with, or distribute
the Library except as expressly provided under this License. Any
attempt otherwise to copy, modify, sublicense, link with, or
distribute the Library is void, and will automatically terminate your
rights under this License. However, parties who have received copies,
or rights, from you under this License will not have their licenses
terminated so long as such parties remain in full compliance.

9. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Library or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Library (or any work based on the
Library), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Library or works based on it.

10. Each time you redistribute the Library (or any work based on the
Library), the recipient automatically receives a license from the
original licensor to copy, distribute, link with or modify the Library
subject to these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties with
this License.

11. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Library at all. For example, if a patent
license would not permit royalty-free redistribution of the Library by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any
particular circumstance, the balance of the section is intended to apply,
and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system which is
implemented by public license practices.
Many people have made 396 | generous contributions to the wide range of software distributed 397 | through that system in reliance on consistent application of that 398 | system; it is up to the author/donor to decide if he or she is willing 399 | to distribute software through any other system and a licensee cannot 400 | impose that choice. 401 | 402 | This section is intended to make thoroughly clear what is believed to 403 | be a consequence of the rest of this License. 404 | 405 | 12. If the distribution and/or use of the Library is restricted in 406 | certain countries either by patents or by copyrighted interfaces, the 407 | original copyright holder who places the Library under this License may add 408 | an explicit geographical distribution limitation excluding those countries, 409 | so that distribution is permitted only in or among countries not thus 410 | excluded. In such case, this License incorporates the limitation as if 411 | written in the body of this License. 412 | 413 | 13. The Free Software Foundation may publish revised and/or new 414 | versions of the Lesser General Public License from time to time. 415 | Such new versions will be similar in spirit to the present version, 416 | but may differ in detail to address new problems or concerns. 417 | 418 | Each version is given a distinguishing version number. If the Library 419 | specifies a version number of this License which applies to it and 420 | "any later version", you have the option of following the terms and 421 | conditions either of that version or of any later version published by 422 | the Free Software Foundation. If the Library does not specify a 423 | license version number, you may choose any version ever published by 424 | the Free Software Foundation. 425 | 426 | 14. If you wish to incorporate parts of the Library into other free 427 | programs whose distribution conditions are incompatible with these, 428 | write to the author to ask for permission. 
For software which is 429 | copyrighted by the Free Software Foundation, write to the Free 430 | Software Foundation; we sometimes make exceptions for this. Our 431 | decision will be guided by the two goals of preserving the free status 432 | of all derivatives of our free software and of promoting the sharing 433 | and reuse of software generally. 434 | 435 | NO WARRANTY 436 | 437 | 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO 438 | WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 439 | EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR 440 | OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY 441 | KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE 442 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 443 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE 444 | LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME 445 | THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 446 | 447 | 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN 448 | WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY 449 | AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU 450 | FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR 451 | CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE 452 | LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING 453 | RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A 454 | FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF 455 | SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH 456 | DAMAGES. 
457 | 458 | END OF TERMS AND CONDITIONS 459 | 460 | How to Apply These Terms to Your New Libraries 461 | 462 | If you develop a new library, and you want it to be of the greatest 463 | possible use to the public, we recommend making it free software that 464 | everyone can redistribute and change. You can do so by permitting 465 | redistribution under these terms (or, alternatively, under the terms of the 466 | ordinary General Public License). 467 | 468 | To apply these terms, attach the following notices to the library. It is 469 | safest to attach them to the start of each source file to most effectively 470 | convey the exclusion of warranty; and each file should have at least the 471 | "copyright" line and a pointer to where the full notice is found. 472 | 473 | 474 | Copyright (C) 475 | 476 | This library is free software; you can redistribute it and/or 477 | modify it under the terms of the GNU Lesser General Public 478 | License as published by the Free Software Foundation; either 479 | version 2.1 of the License, or (at your option) any later version. 480 | 481 | This library is distributed in the hope that it will be useful, 482 | but WITHOUT ANY WARRANTY; without even the implied warranty of 483 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 484 | Lesser General Public License for more details. 485 | 486 | You should have received a copy of the GNU Lesser General Public 487 | License along with this library; if not, write to the Free Software 488 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 489 | 490 | Also add information on how to contact you by electronic and paper mail. 491 | 492 | You should also get your employer (if you work as a programmer) or your 493 | school, if any, to sign a "copyright disclaimer" for the library, if 494 | necessary. 
Here is a sample; alter the names: 495 | 496 | Yoyodyne, Inc., hereby disclaims all copyright interest in the 497 | library `Frob' (a library for tweaking knobs) written by James Random Hacker. 498 | 499 | , 1 April 1990 500 | Ty Coon, President of Vice 501 | 502 | That's all there is to it! 503 | -------------------------------------------------------------------------------- /COPYING.parse_evtx.txt: -------------------------------------------------------------------------------- 1 | == 2 | 3 | © 2018 AO Kaspersky Lab. All Rights Reserved. 4 | 5 | == 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a 8 | copy of this software and associated documentation files (the 9 | "Software"), to deal in the Software without restriction, including 10 | without limitation the rights to use, copy, modify, merge, publish, 11 | distribute, sublicense, and/or sell copies of the Software, and to 12 | permit persons to whom the Software is furnished to do so, subject to 13 | the following conditions: 14 | 15 | The above copyright notice and this permission notice shall be included 16 | in all copies or substantial portions of the Software. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 19 | OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 20 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 21 | IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY 22 | CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, 23 | TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE 24 | SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 25 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ForensicsTools 2 | GLHF and HODL! 
--------------------------------------------------------------------------------
/SOURCES/CMakeLists.txt:
--------------------------------------------------------------------------------
cmake_minimum_required(VERSION 3.9)

project(parse_evtx)

INCLUDE_DIRECTORIES(${CMAKE_SOURCE_DIR})

IF (MINGW OR WIN32 )
    SET(CMAKE_EXECUTABLE_SUFFIX ".exe")
    SET(CMAKE_SHARED_LIBRARY_SUFFIX ".dll")
    SET(CMAKE_SYSTEM_NAME "Windows")
    SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -msse -msse2 -msse3")
    SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -msse -msse2 -msse3")

    IF ( CMAKE_BUILD_TYPE STREQUAL "Release" )
        SET(OPTIMIZE_FLAGS " ${OPTIMIZE_FLAGS} -O3 -fomit-frame-pointer -D__CRT__NO_INLINE=1")
    ENDIF ( CMAKE_BUILD_TYPE STREQUAL "Release" )

    SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${OPTIMIZE_FLAGS} -D_POSIX_THREAD_SAFE_FUNCTIONS -Wno-ignored-attributes -Wno-deprecated-declarations -static-libgcc -static-libstdc++ -std=gnu99 -DWINVER=0x0601 -D_WIN32_WINNT=0x0601")
    SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${OPTIMIZE_FLAGS} -D_POSIX_THREAD_SAFE_FUNCTIONS -Wno-ignored-attributes -Wno-deprecated-declarations -std=gnu++11 -static-libgcc -static-libstdc++ -DWINVER=0x0601 -D_WIN32_WINNT=0x0601 -D__STDC_FORMAT_MACROS ")

ENDIF()

IF ( NOT (MINGW OR WIN32 ) )
    IF ( ( ${CMAKE_C_COMPILER_ID} STREQUAL "GNU" ) )
        IF (CMAKE_CXX_COMPILER_VERSION VERSION_GREATER 4.5)
            SET(GNU_FLAGS "-Wno-address-of-packed-member -Wno-extended-offsetof -Wno-ignored-attributes -Wno-unused-result -pedantic -pedantic-errors -Werror ")
        ENDIF()
    ENDIF()

    IF ( ( ${CMAKE_C_COMPILER_ID} STREQUAL "Clang" ) )
        SET(GNU_FLAGS "-Wno-address-of-packed-member -Wno-extended-offsetof -Wno-ignored-attributes -Wno-unused-result -pedantic -pedantic-errors -Werror ")
    ENDIF()

    SET(GNU_FLAGS "${GNU_FLAGS} -Wno-unused-function -Wno-deprecated-declarations -Wno-missing-noreturn -Wformat -Wno-variadic-macros -D__STDC_FORMAT_MACROS")

    SET(OPTIMIZE_FLAGS " -fstack-protector -D_FORTIFY_SOURCE=2 ")
    IF ( CMAKE_BUILD_TYPE STREQUAL "Release" )
        SET(OPTIMIZE_FLAGS " ${OPTIMIZE_FLAGS} -O3 -msse4 -mfpmath=sse -fomit-frame-pointer")
        SET(OPTIMIZE_FLAGS " ${OPTIMIZE_FLAGS} -march=core2 ")
    ENDIF ( CMAKE_BUILD_TYPE STREQUAL "Release" )
    SET( FPIC_FLAG "-fPIC" )
    IF ( ${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
        SET(GNU_FLAGS " ${GNU_FLAGS} -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -D_DEFAULT_SOURCE ")
    ENDIF ( ${CMAKE_SYSTEM_NAME} STREQUAL "Linux")

    IF ( ${CMAKE_C_COMPILER_ID} STREQUAL "GNU" )
        SET(C_STD "-std=gnu99")
    ELSE ()
        SET(C_STD "-std=c11")
    ENDIF()

    SET(CXX_STD "-std=c++0x")

    SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${OPTIMIZE_FLAGS} ${GNU_FLAGS} ${C_STD} -Wimplicit -Wimplicit-function-declaration -Wimplicit-int -Wunused-value -Wmissing-braces -Wunused-variable ${FPIC_FLAG}")
    SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${OPTIMIZE_FLAGS} ${GNU_FLAGS} ${CXX_STD} -fno-operator-names -Wmissing-braces -Wno-deprecated-register -fPIC")
ENDIF()

SET(ALL_SOURCES forensics)
subdirs( ${ALL_SOURCES} )

--------------------------------------------------------------------------------
/SOURCES/forensics/CMakeLists.txt:
--------------------------------------------------------------------------------
cmake_minimum_required(VERSION 3.9)

add_executable(parse_evtx main_parse_evtx.cpp )

--------------------------------------------------------------------------------
/SOURCES/forensics/eventlist.h:
--------------------------------------------------------------------------------
/* For part of the file:
 * Copyright (c) Microsoft Corporation
 * https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/LICENSE
 * CC 4.0
 * */

const char *eventDescriptions[] = {
    "1100(S) The event logging service has shut down. (Windows 10)",
    "1102(S) The audit log was cleared. (Windows 10)",
    "1104(S) The security log is now full. (Windows 10)",
    "1105(S) Event log automatic backup. (Windows 10)",
    "1108(S) The event logging service encountered an error while processing an incoming event published from . (Windows 10)",
    "4608(S) Windows is starting up. (Windows 10)",
    "4610(S) An authentication package has been loaded by the Local Security Authority. (Windows 10)",
    "4611(S) A trusted logon process has been registered with the Local Security Authority. (Windows 10)",
    "4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. (Windows 10)",
    "4614(S) A notification package has been loaded by the Security Account Manager. (Windows 10)",
    "4615(S) Invalid use of LPC port. (Windows 10)",
    "4616(S) The system time was changed. (Windows 10)",
    "4618(S) A monitored security event pattern has occurred. (Windows 10)",
    "4621(S) Administrator recovered system from CrashOnAuditFail. (Windows 10)",
    "4622(S) A security package has been loaded by the Local Security Authority. (Windows 10)",
    "4624(S) An account was successfully logged on. (Windows 10)",
    "4625(F) An account failed to log on. (Windows 10)",
    "4626(S) User/Device claims information. (Windows 10)",
    "4627(S) Group membership information. (Windows 10)",
    "4634(S) An account was logged off. (Windows 10)",
    "4647(S) User initiated logoff. (Windows 10)",
    "4648(S) A logon was attempted using explicit credentials. (Windows 10)",
    "4649(S) A replay attack was detected. (Windows 10)",
    "4656(S, F) A handle to an object was requested. (Windows 10)",
    "4657(S) A registry value was modified. (Windows 10)",
    "4658(S) The handle to an object was closed. (Windows 10)",
    "4660(S) An object was deleted. (Windows 10)",
    "4661(S, F) A handle to an object was requested. (Windows 10)",
    "4662(S, F) An operation was performed on an object. (Windows 10)",
    "4663(S) An attempt was made to access an object. (Windows 10)",
    "4664(S) An attempt was made to create a hard link. (Windows 10)",
    "4670(S) Permissions on an object were changed. (Windows 10)",
    "4671(-) An application attempted to access a blocked ordinal through the TBS. (Windows 10)",
    "4672(S) Special privileges assigned to new logon. (Windows 10)",
    "4673(S, F) A privileged service was called. (Windows 10)",
    "4674(S, F) An operation was attempted on a privileged object. (Windows 10)",
    "4675(S) SIDs were filtered. (Windows 10)",
    "4688(S) A new process has been created. (Windows 10)",
    "4689(S) A process has exited. (Windows 10)",
    "4690(S) An attempt was made to duplicate a handle to an object. (Windows 10)",
    "4691(S) Indirect access to an object was requested. (Windows 10)",
    "4692(S, F) Backup of data protection master key was attempted. (Windows 10)",
    "4693(S, F) Recovery of data protection master key was attempted. (Windows 10)",
    "4694(S, F) Protection of auditable protected data was attempted. (Windows 10)",
    "4695(S, F) Unprotection of auditable protected data was attempted. (Windows 10)",
    "4696(S) A primary token was assigned to process. (Windows 10)",
    "4697(S) A service was installed in the system. (Windows 10)",
    "4698(S) A scheduled task was created. (Windows 10)",
    "4699(S) A scheduled task was deleted. (Windows 10)",
    "4700(S) A scheduled task was enabled. (Windows 10)",
    "4701(S) A scheduled task was disabled. (Windows 10)",
    "4702(S) A scheduled task was updated. (Windows 10)",
    "4703(S) A user right was adjusted. (Windows 10)",
    "4704(S) A user right was assigned. (Windows 10)",
    "4705(S) A user right was removed. (Windows 10)",
    "4706(S) A new trust was created to a domain. (Windows 10)",
    "4707(S) A trust to a domain was removed. (Windows 10)",
    "4713(S) Kerberos policy was changed. (Windows 10)",
    "4714(S) Encrypted data recovery policy was changed. (Windows 10)",
    "4715(S) The audit policy (SACL) on an object was changed. (Windows 10)",
    "4716(S) Trusted domain information was modified. (Windows 10)",
    "4717(S) System security access was granted to an account. (Windows 10)",
    "4718(S) System security access was removed from an account. (Windows 10)",
    "4719(S) System audit policy was changed. (Windows 10)",
    "4720(S) A user account was created. (Windows 10)",
    "4722(S) A user account was enabled. (Windows 10)",
    "4723(S, F) An attempt was made to change an account's password. (Windows 10)",
    "4724(S, F) An attempt was made to reset an account's password. (Windows 10)",
    "4725(S) A user account was disabled. (Windows 10)",
    "4726(S) A user account was deleted. (Windows 10)",
    "4731(S) A security-enabled local group was created. (Windows 10)",
    "4732(S) A member was added to a security-enabled local group. (Windows 10)",
    "4733(S) A member was removed from a security-enabled local group. (Windows 10)",
    "4734(S) A security-enabled local group was deleted. (Windows 10)",
    "4735(S) A security-enabled local group was changed. (Windows 10)",
    "4738(S) A user account was changed. (Windows 10)",
    "4739(S) Domain Policy was changed. (Windows 10)",
    "4740(S) A user account was locked out. (Windows 10)",
    "4741(S) A computer account was created. (Windows 10)",
    "4742(S) A computer account was changed. (Windows 10)",
    "4743(S) A computer account was deleted. (Windows 10)",
    "4749(S) A security-disabled global group was created. (Windows 10)",
    "4750(S) A security-disabled global group was changed. (Windows 10)",
    "4751(S) A member was added to a security-disabled global group. (Windows 10)",
    "4752(S) A member was removed from a security-disabled global group. (Windows 10)",
    "4753(S) A security-disabled global group was deleted. (Windows 10)",
    "4764(S) A group's type was changed. (Windows 10)",
    "4765(S) SID History was added to an account. (Windows 10)",
    "4766(F) An attempt to add SID History to an account failed. (Windows 10)",
    "4767(S) A user account was unlocked. (Windows 10)",
    "4768(S, F) A Kerberos authentication ticket (TGT) was requested. (Windows 10)",
    "4769(S, F) A Kerberos service ticket was requested. (Windows 10)",
    "4770(S) A Kerberos service ticket was renewed. (Windows 10)",
    "4771(F) Kerberos pre-authentication failed. (Windows 10)",
    "4772(F) A Kerberos authentication ticket request failed. (Windows 10)",
    "4773(F) A Kerberos service ticket request failed. (Windows 10)",
    "4774(S, F) An account was mapped for logon. (Windows 10)",
    "4775(F) An account could not be mapped for logon. (Windows 10)",
    "4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10)",
    "4777(F) The domain controller failed to validate the credentials for an account. (Windows 10)",
    "4778(S) A session was reconnected to a Window Station. (Windows 10)",
    "4779(S) A session was disconnected from a Window Station. (Windows 10)",
    "4780(S) The ACL was set on accounts which are members of administrators groups. (Windows 10)",
    "4781(S) The name of an account was changed. (Windows 10)",
    "4782(S) The password hash an account was accessed. (Windows 10)",
    "4793(S) The Password Policy Checking API was called. (Windows 10)",
    "4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. (Windows 10)",
    "4798(S) A user's local group membership was enumerated. (Windows 10)",
    "4799(S) A security-enabled local group membership was enumerated. (Windows 10)",
    "4800(S) The workstation was locked. (Windows 10)",
    "4801(S) The workstation was unlocked. (Windows 10)",
    "4802(S) The screen saver was invoked. (Windows 10)",
    "4803(S) The screen saver was dismissed. (Windows 10)",
    "4816(S) RPC detected an integrity violation while decrypting an incoming message. (Windows 10)",
    "4817(S) Auditing settings on object were changed. (Windows 10)",
    "4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. (Windows 10)",
    "4819(S) Central Access Policies on the machine have been changed. (Windows 10)",
    "4826(S) Boot Configuration Data loaded. (Windows 10)",
    "4864(S) A namespace collision was detected. (Windows 10)",
    "4865(S) A trusted forest information entry was added. (Windows 10)",
    "4866(S) A trusted forest information entry was removed. (Windows 10)",
    "4867(S) A trusted forest information entry was modified. (Windows 10)",
    "4902(S) The Per-user audit policy table was created. (Windows 10)",
    "4904(S) An attempt was made to register a security event source. (Windows 10)",
    "4905(S) An attempt was made to unregister a security event source. (Windows 10)",
    "4906(S) The CrashOnAuditFail value has changed. (Windows 10)",
    "4907(S) Auditing settings on object were changed. (Windows 10)",
    "4908(S) Special Groups Logon table modified. (Windows 10)",
    "4909(-) The local policy settings for the TBS were changed. (Windows 10)",
    "4910(-) The group policy settings for the TBS were changed. (Windows 10)",
    "4911(S) Resource attributes of the object were changed. (Windows 10)",
    "4912(S) Per User Audit Policy was changed. (Windows 10)",
    "4913(S) Central Access Policy on the object was changed. (Windows 10)",
    "4928(S, F) An Active Directory replica source naming context was established. (Windows 10)",
    "4929(S, F) An Active Directory replica source naming context was removed. (Windows 10)",
    "4930(S, F) An Active Directory replica source naming context was modified. (Windows 10)",
    "4931(S, F) An Active Directory replica destination naming context was modified. (Windows 10)",
    "4932(S) Synchronization of a replica of an Active Directory naming context has begun. (Windows 10)",
    "4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. (Windows 10)",
    "4934(S) Attributes of an Active Directory object were replicated. (Windows 10)",
    "4935(F) Replication failure begins. (Windows 10)",
    "4936(S) Replication failure ends. (Windows 10)",
    "4937(S) A lingering object was removed from a replica. (Windows 10)",
    "4944(S) The following policy was active when the Windows Firewall started. (Windows 10)",
    "4945(S) A rule was listed when the Windows Firewall started. (Windows 10)",
    "4946(S) A change has been made to Windows Firewall exception list. A rule was added. (Windows 10)",
    "4947(S) A change has been made to Windows Firewall exception list. A rule was modified. (Windows 10)",
    "4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. (Windows 10)",
    "4949(S) Windows Firewall settings were restored to the default values. (Windows 10)",
    "4950(S) A Windows Firewall setting has changed. (Windows 10)",
    "4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. (Windows 10)",
    "4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. (Windows 10)",
    "4953(F) Windows Firewall ignored a rule because it could not be parsed. (Windows 10)",
    "4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. (Windows 10)",
    "4956(S) Windows Firewall has changed the active profile. (Windows 10)",
    "4957(F) Windows Firewall did not apply the following rule. (Windows 10)",
    "4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. (Windows 10)",
    "4964(S) Special groups have been assigned to a new logon. (Windows 10)",
    "4985(S) The state of a transaction has changed. (Windows 10)",
    "5024(S) The Windows Firewall Service has started successfully. (Windows 10)",
    "5025(S) The Windows Firewall Service has been stopped. (Windows 10)",
    "5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. (Windows 10)",
    "5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. (Windows 10)",
    "5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. (Windows 10)",
    "5030(F) The Windows Firewall Service failed to start. (Windows 10)",
    "5031(F) The Windows Firewall Service blocked an application from accepting incoming connections on the network. (Windows 10)",
    "5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. (Windows 10)",
    "5033(S) The Windows Firewall Driver has started successfully. (Windows 10)",
    "5034(S) The Windows Firewall Driver was stopped. (Windows 10)",
    "5035(F) The Windows Firewall Driver failed to start. (Windows 10)",
    "5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. (Windows 10)",
    "5038(F) Code integrity determined that the image hash of a file is not valid. (Windows 10)",
    "5039(-) A registry key was virtualized. (Windows 10)",
    "5051(-) A file was virtualized. (Windows 10)",
    "5056(S) A cryptographic self-test was performed. (Windows 10)",
    "5057(F) A cryptographic primitive operation failed. (Windows 10)",
    "5058(S, F) Key file operation. (Windows 10)",
    "5059(S, F) Key migration operation. (Windows 10)",
    "5060(F) Verification operation failed. (Windows 10)",
    "5061(S, F) Cryptographic operation. (Windows 10)",
    "5062(S) A kernel-mode cryptographic self-test was performed. (Windows 10)",
    "5063(S, F) A cryptographic provider operation was attempted. (Windows 10)",
    "5064(S, F) A cryptographic context operation was attempted. (Windows 10)",
    "5065(S, F) A cryptographic context modification was attempted. (Windows 10)",
    "5066(S, F) A cryptographic function operation was attempted. (Windows 10)",
    "5067(S, F) A cryptographic function modification was attempted. (Windows 10)",
    "5068(S, F) A cryptographic function provider operation was attempted. (Windows 10)",
    "5069(S, F) A cryptographic function property operation was attempted. (Windows 10)",
    "5070(S, F) A cryptographic function property modification was attempted. (Windows 10)",
    "5136(S) A directory service object was modified. (Windows 10)",
    "5137(S) A directory service object was created. (Windows 10)",
    "5138(S) A directory service object was undeleted. (Windows 10)",
    "5139(S) A directory service object was moved. (Windows 10)",
    "5140(S, F) A network share object was accessed. (Windows 10)",
    "5141(S) A directory service object was deleted. (Windows 10)",
    "5142(S) A network share object was added. (Windows 10)",
    "5143(S) A network share object was modified. (Windows 10)",
    "5144(S) A network share object was deleted. (Windows 10)",
    "5145(S, F) A network share object was checked to see whether client can be granted desired access. (Windows 10)",
    "5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. (Windows 10)",
    "5149(F) The DoS attack has subsided and normal processing is being resumed. (Windows 10)",
    "5150(-) The Windows Filtering Platform blocked a packet. (Windows 10)",
    "5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10)",
    "5152(F) The Windows Filtering Platform blocked a packet. (Windows 10)",
    "5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10)",
    "5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. (Windows 10)",
    "5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. (Windows 10)",
    "5156(S) The Windows Filtering Platform has permitted a connection. (Windows 10)",
    "5157(F) The Windows Filtering Platform has blocked a connection. (Windows 10)",
    "5158(S) The Windows Filtering Platform has permitted a bind to a local port. (Windows 10)",
    "5159(F) The Windows Filtering Platform has blocked a bind to a local port. (Windows 10)",
    "5168(F) SPN check for SMB/SMB2 failed. (Windows 10)",
    "5376(S) Credential Manager credentials were backed up. (Windows 10)",
    "5377(S) Credential Manager credentials were restored from a backup. (Windows 10)",
    "5378(F) The requested credentials delegation was disallowed by policy. (Windows 10)",
    "5447(S) A Windows Filtering Platform filter has been changed. (Windows 10)",
    "5632(S, F) A request was made to authenticate to a wireless network. (Windows 10)",
    "5633(S, F) A request was made to authenticate to a wired network. (Windows 10)",
    "5712(S) A Remote Procedure Call (RPC) was attempted. (Windows 10)",
    "5888(S) An object in the COM+ Catalog was modified. (Windows 10)",
    "5889(S) An object was deleted from the COM+ Catalog. (Windows 10)",
    "5890(S) An object was added to the COM+ Catalog. (Windows 10)",
    "6144(S) Security policy in the group policy objects has been applied successfully. (Windows 10)",
    "6145(F) One or more errors occurred while processing security policy in the group policy objects. (Windows 10)",
    "6281(F) Code Integrity determined that the page hashes of an image file are not valid. (Windows 10)",
    "6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. (Windows 10)",
    "6401(-) BranchCache Received invalid data from a peer. Data discarded. (Windows 10)",
    "6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. (Windows 10)",
    "6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. (Windows 10)",
    "6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. (Windows 10)",
    "6405(-) BranchCache %2 instance(s) of event id %1 occurred. (Windows 10)",
    "6406(-) %1 registered to Windows Firewall to control filtering for the following %2. (Windows 10)",
    "6407(-) 1%. (Windows 10)",
    "6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. (Windows 10)",
    "6409(-) BranchCache A service connection point object could not be parsed. (Windows 10)",
    "6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. (Windows 10)",
    "6416(S) A new external device was recognized by the System. (Windows 10)",
    "6419(S) A request was made to disable a device. (Windows 10)",
    "6420(S) A device was disabled. (Windows 10)",
    "6421(S) A request was made to enable a device. (Windows 10)",
    "6422(S) A device was enabled. (Windows 10)",
    "6423(S) The installation of this device is forbidden by system policy. (Windows 10)",
    "6424(S) The installation of this device was allowed, after having previously been forbidden by policy. (Windows 10)",
    "7009(S) Timeout waiting for the service to connect.",
    "7036(S) The service entered the new state.",
    "7045(S) A service was installed in the system.",
    "10009(S) DCOM was unable to communicate with the computer using any of the configured protocols.",
    "1204(S) Drive array accelerator status change.",
    "4227(S) TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint.",
    "1111(S) Driver required for printer is unknown. Contact the administrator to install the driver before you log in again.",
    "7001(S) The service depends on the service which failed to start because of the following error:",
    "1503(S) The Group Policy settings for the user were processed successfully. 
New settings from %6 Group Policy objects were detected and applied.", 260 | "5807(S) During the past hours there have been connections to this Domain Controller from client machines whose IP addresses don’t map to any of the existing sites in the enterprise.", 261 | }; 262 | 263 | -------------------------------------------------------------------------------- /SOURCES/forensics/main_parse_evtx.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * ===================================================================================== 3 | * Filename: parse_evtx.cpp 4 | * Description: Parse EVTX format files 5 | * Created: 09.01.2018 16:59:43 6 | * Author: Igor Soumenkov (igosha), igosha@kaspersky.com 7 | * ===================================================================================== 8 | */ 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include "eventlist.h" 19 | 20 | // #define PRINT_TAGS 21 | 22 | #include 23 | 24 | #pragma pack(push, 1) 25 | 26 | #define EVTX_HEADER_MAGIC "ElfFile" 27 | 28 | typedef struct 29 | { 30 | char magic[8]; 31 | uint64_t numberOfChunksAllocated; 32 | uint64_t numberOfChunksUsed; 33 | uint64_t checksum; 34 | uint32_t flags; 35 | uint32_t version; 36 | uint64_t fileSize; 37 | uint8_t reserved[0x1000 - 0x30]; 38 | } 39 | EvtxHeader; 40 | 41 | #define EVTX_CHUNK_HEADER_MAGIC "ElfChnk" 42 | 43 | typedef struct 44 | { 45 | char magic[8]; 46 | uint64_t firstRecordNumber; 47 | uint64_t lastRecordNumber; 48 | uint64_t firstRecordNumber2; 49 | uint64_t lastRecordNumber2; 50 | uint32_t chunkHeaderSize; 51 | uint8_t reserved[0x80 - 0x2C]; 52 | uint8_t reserved2[0x200 - 0x80]; 53 | } 54 | EvtxChunkHeader; 55 | 56 | #define EVTX_CHUNK_SIZE 0x10000 57 | 58 | typedef struct 59 | { 60 | uint32_t magic; 61 | uint32_t size; 62 | uint64_t number; 63 | uint64_t timestamp; 64 | } 65 | EvtxRecordHeader; 66 | 67 | 68 | typedef 
struct
{
    uint32_t d1;
    uint16_t w1;
    uint16_t w2;
    uint8_t b1[8];
}
EvtxGUID;
#pragma pack(pop)

typedef enum
{
    StateNormal = 1,
    StateInAttribute = 2,
}
XmlParseState;

typedef struct sParseContext
{
    sParseContext* chunkContext;
    const uint8_t* data;
    size_t dataLen;
    size_t offset;
    size_t offsetFromChunkStart;
    XmlParseState state;
    unsigned int currentTemplateIdx;
    char cachedValue[256];
}
ParseContext;

static bool ParseBinXml(ParseContext* ctx, size_t inFileOffset);

static bool HaveEnoughData(ParseContext* ctx, size_t numBytes)
{
    return ( ctx->offset + numBytes <= ctx->dataLen );
}

static void SkipBytes(ParseContext* ctx, size_t numBytes)
{
    ctx->offset += numBytes;
}

/* Bounds-checked read of `count` values of type c from the current offset. */
template <typename c>
static bool ReadData(ParseContext* ctx, c* result, size_t count = 1)
{
    if ( !HaveEnoughData(ctx, sizeof(*result) * count) )
        return false;
    for (size_t idx = 0; idx < count; idx++)
    {
        result[idx] = *(c*)(ctx->data + ctx->offset);
        ctx->offset += sizeof(*result);
    }
    return true;
}

#define MAX_IDS 256
#define MAX_NUM_ARGS 256
#define INVALID_TEMPLATE_IDX ((unsigned int)-1)

typedef struct sTemplateArgPair
{
    sTemplateArgPair* next;
    char* key;
    uint16_t type;
    uint16_t argIdx;
}
TemplateArgPair;

typedef struct sTemplateFixedPair
{
    sTemplateFixedPair* next;
    char* key;
    char* value;
}
TemplateFixedPair;

typedef struct
{
    uint32_t shortID;
    TemplateFixedPair fixedRoot;
    TemplateArgPair argsRoot;
}
TemplateDescription;

template <typename c>
static void InitRoot(c* root)
{
    root->next = NULL;
}

template <typename c>
static c* AddPair(c* root)
{
    c* item = (c*)malloc(sizeof(c));
    if ( item != NULL )
    {
        item->next = root->next;
        root->next = item;
    }
    return item;
}

static void FreePair(TemplateFixedPair* item)
{
    free(item->key);
    free(item->value);
    free(item);
}

static void FreePair(TemplateArgPair* item)
{
    free(item->key);
    free(item);
}

template <typename c>
static void ResetRoot(c* root)
{
    c* nextItem = NULL;

    for (c* ptr = root->next; ptr != NULL; ptr = nextItem)
    {
        nextItem = ptr->next;
        FreePair(ptr);
    }

    root->next = NULL;
}

static void InitTemplateDescription(TemplateDescription* item)
{
    InitRoot(&item->fixedRoot);
    InitRoot(&item->argsRoot);
    item->shortID = 0;
}

static void ResetTemplateDescription(TemplateDescription* item)
{
    ResetRoot(&item->fixedRoot);
    ResetRoot(&item->argsRoot);
    item->shortID = 0;
}

static uint32_t knownIDs[MAX_IDS] = { 0 };
static TemplateDescription templates[MAX_IDS];
static unsigned int numIDs = 0;

#define MAX_NAME_STACK_DEPTH 20
#define INVALID_STACK_DEPTH ((ssize_t)-1)

typedef struct
{
    char name[256];
}
NameStackElement;


#define countof(arr) ( sizeof(arr) / sizeof(*arr) )

static void InitTemplates(void)
{
    for (size_t idx = 0; idx < countof(templates); idx++)
        InitTemplateDescription(&templates[idx]);
}

static ssize_t nameStackPtr = INVALID_STACK_DEPTH;
static NameStackElement nameStack[MAX_NAME_STACK_DEPTH];

const char** eventDescriptionHashTable = NULL;
const char* logonTypes[] = { NULL, NULL, "Interactive", "Network", "Batch", "Service", NULL, "Unlock", "NetworkCleartext", "NewCredentials", "RemoteInteractive", "CachedInteractive"};

static void RegisterFixedPair(unsigned int templateIdx, const char* key, const char* value)
{
    TemplateFixedPair* newPair = AddPair(&templates[templateIdx].fixedRoot);
    if ( newPair == NULL )
        return;
    newPair->key = strdup(key);
    newPair->value = strdup(value);
}


static void RegisterArgPair(unsigned int templateIdx, const char* key, uint16_t type, uint16_t argIdx)
{
    TemplateArgPair* newPair = AddPair(&templates[templateIdx].argsRoot);
    if ( newPair == NULL )
        return;
    // broken record 3420028194 (security.evtx)
    newPair->key = strdup(key == NULL ? "" : key);
    newPair->type = type;
    newPair->argIdx = argIdx;
}


static void PushName(const char* name)
{
    /* the stack holds MAX_NAME_STACK_DEPTH elements, so the last valid index is
       MAX_NAME_STACK_DEPTH - 1 (the original test allowed one push too many) */
    if ( nameStackPtr >= MAX_NAME_STACK_DEPTH - 1 )
        return;
    nameStackPtr++;
    strncpy(nameStack[nameStackPtr].name, name, sizeof(nameStack[nameStackPtr].name));
    nameStack[nameStackPtr].name[ sizeof(nameStack[nameStackPtr].name) - 1 ] = 0;
}

static void PopName(void)
{
    if ( nameStackPtr > INVALID_STACK_DEPTH )
        nameStackPtr--;
}

static const char* GetName(void)
{
    if ( nameStackPtr <= INVALID_STACK_DEPTH )
        return NULL;
    return nameStack[nameStackPtr].name;
}


static const char* GetUpperName(void)
{
    if ( nameStackPtr <= INVALID_STACK_DEPTH )
        return NULL;
    if ( nameStackPtr < 1 )
        return NULL;

    return nameStack[nameStackPtr - 1].name;
}

static bool IsKnownID(uint32_t id, unsigned int* templateIdx)
{
    for (unsigned int idx = 0; idx < numIDs; idx++)
    {
        if ( knownIDs[idx] == id )
        {
            if ( templateIdx != NULL )
                *templateIdx = idx;
            return true;
        }
    }
    return false;
}

static bool RegisterID(uint32_t id, unsigned int* templateIdx)
{
    if ( numIDs >= MAX_IDS )
        return false;
    knownIDs[numIDs] = id;
    templates[numIDs].shortID = id;
    *templateIdx = numIDs;
    numIDs++;
    return true;
}

static void ResetTemplates(void)
{
    for (size_t idx = 0; idx < numIDs; idx++)
        ResetTemplateDescription(&templates[idx]);

    numIDs = 0;
}

static void SetState(ParseContext* ctx, XmlParseState newState)
{
    if ( newState == ctx->state )
        return;

    if ( ctx->state == StateInAttribute )
        PopName();

    ctx->state = newState;
}

/* Encode one UTF-16 code unit as UTF-8 into buffer, dropping it if it does not fit. */
static void UTF16ToUTF8(uint16_t w, char* buffer, size_t* bufferUsed, size_t bufferSize)
{
    uint32_t charLength = 1;
    uint8_t msb = 0;
    uint8_t mask = 0;

    if ( w > 0x7F )
    {
        charLength++;
        msb |= 0x80 + 0x40;
        mask = 0xFF;
    }
    if ( w > 0x7FF )
    {
        charLength++;
        msb |= 0x20;
        mask = 0x1F;
    }
    if ( w > 0xFFFF ) /* never true for a 16-bit unit: surrogate pairs are not combined */
    {
        charLength++;
        msb |= 0x10;
        mask = 0x0F;
    }

    if ( *bufferUsed + charLength >= bufferSize )
        return; /* no buffer overruns */

    if ( charLength == 1 )
    {
        buffer[*bufferUsed] = w;
        (*bufferUsed)++;
        return;
    }

    // printf("\n%04X -> ", (uint16_t)w);

    for (uint32_t charIndex = charLength - 1; charIndex > 0; charIndex--)
    {
        buffer[*bufferUsed + charIndex] = 0x80 | ( w & 0x3F );
        // printf(" ... [%X] %02X ", charIndex, buffer[*bufferUsed + charIndex]);
        w >>= 6;
    }

    buffer[*bufferUsed] = msb | ( w & mask );

#if 0
    for (uint32_t idx = 0; idx < charLength; idx++)
        printf("%02X ", (uint8_t)buffer[*bufferUsed + idx]);
    printf("\n");
#endif

    *bufferUsed += charLength;
}

/* Read a 16-bit character count followed by that many UTF-16 units; the part that
   does not fit in nameBuffer is skipped in the input so the offset stays aligned. */
static bool ReadPrefixedUnicodeString(ParseContext* ctx, char* nameBuffer, size_t nameBufferSize, bool isNullTerminated)
{
    uint16_t nameCharCnt;
    size_t nameBufferUsed = 0;
    size_t idx = 0;

    if ( !ReadData(ctx, &nameCharCnt) )
        return false;

    // TODO : convert UTF-16 to UTF-8
    for (idx = 0; idx < nameCharCnt && idx*2 < ( nameBufferSize - 1 ) ; idx ++)
    {
        uint16_t w;

        if ( !ReadData(ctx, &w) )
            return false;
        UTF16ToUTF8(w, nameBuffer, &nameBufferUsed, nameBufferSize);
    }

    if ( nameBufferUsed >= nameBufferSize )
        nameBufferUsed = nameBufferSize - 1;
    nameBuffer[nameBufferUsed] = 0;

    SkipBytes(ctx, (nameCharCnt - idx + ( isNullTerminated ? 1 : 0 ))*2);

    return true;
}

/* Names are stored once per chunk; a name token carries the chunk offset of its
   definition, so a name seen earlier is read from that offset via the chunk context. */
static bool ReadName(ParseContext* ctx, char* nameBuffer, size_t nameBufferSize)
{
    uint16_t nameHash;
    uint32_t chunkOffset;
    uint32_t d;
    ParseContext temporaryCtx(*ctx->chunkContext);
    ParseContext* ctxPtr = ctx;

    if ( nameBufferSize < 2 )
        return false;
    nameBuffer[0] = 0;
    if ( !ReadData(ctx, &chunkOffset) )
        return false;
    if ( ctx->offset + ctx->offsetFromChunkStart != chunkOffset )
    {
        // printf("!!!!!! %08X %08X\n", chunkOffset, (uint32_t)(ctx->offset + ctx->offsetFromChunkStart));
        ctxPtr = &temporaryCtx;
        ctxPtr->offset = chunkOffset;
    }

    if ( !ReadData(ctxPtr, &d) )
        return false;
    if ( !ReadData(ctxPtr, &nameHash) )
        return false;
    if ( !ReadPrefixedUnicodeString(ctxPtr, nameBuffer, nameBufferSize, true) )
        return false;

    return true;
}

static const char* GetProperKeyName(ParseContext* ctx)
{
    const char* key;
    const char* upperName;

    key = GetName();

    // printf("Key: %s Upper: %s\n", key, GetUpperName());

    upperName = GetUpperName();

    /* <EventData><Data Name="X">value</Data>: use the cached Name attribute as the key */
    if ( ( upperName != NULL ) &&
         !strcmp(key, "Data") &&
         !strcmp(upperName, "EventData") &&
         ctx->cachedValue[0] != 0 )
    {
        key = ctx->cachedValue;
    }

    return key;
}

static bool ParseValueText(ParseContext* ctx)
{
    uint8_t stringType;
    char valueBuffer[256];
    const char* upperName;
    const char* key;

    if ( !ReadData(ctx, &stringType) )
        return false;
    if ( !ReadPrefixedUnicodeString(ctx, valueBuffer, sizeof(valueBuffer), false) )
        return false;
    // printf("******* %s=%s", GetName(), valueBuffer);

    key = GetProperKeyName(ctx);
    upperName = GetUpperName();

    if ( ( key != NULL ) &&
         ( ( upperName == NULL ) ||
           strcmp(key, "Name") ||
           strcmp(GetUpperName(), "Data") ) )
    {
        RegisterFixedPair(ctx->currentTemplateIdx, key, valueBuffer);
    }

    SetState(ctx, StateNormal);

    strncpy(ctx->cachedValue, valueBuffer, sizeof(valueBuffer));
    ctx->cachedValue[sizeof(ctx->cachedValue)-1] = 0;

    return true;
}

static bool ParseAttributes(ParseContext* ctx)
{
    char nameBuffer[256];

    if ( !ReadName(ctx, nameBuffer, sizeof(nameBuffer)) )
        return false;
    // printf(" %s", nameBuffer);

    PushName(nameBuffer);
    SetState(ctx, StateInAttribute);

    return true;
}

static bool ParseOpenStartElement(ParseContext* ctx, bool hasAttributes)
{
    uint8_t b;
    uint16_t w;
    uint32_t elementLength;
    uint32_t attributeListLength = 0;
    char nameBuffer[256];

    if ( !ReadData(ctx, &w) )
        return false;
    if ( !ReadData(ctx, &elementLength) )
        return false;
    if ( !ReadName(ctx, nameBuffer, sizeof(nameBuffer)) )
        return false;
    if ( hasAttributes )
    {
        if ( !ReadData(ctx, &attributeListLength) )
            return false;
    }
#ifdef PRINT_TAGS
    printf("<%s [%08X] ", nameBuffer, attributeListLength);
    fflush(stdout);
#endif

    PushName(nameBuffer);

    return true;
}

static bool ParseCloseStartElement(ParseContext* ctx)
{
    SetState(ctx, StateNormal);
#ifdef PRINT_TAGS
    printf(">");
    fflush(stdout);
#endif
    return true;
}

static bool ParseCloseElement(ParseContext* ctx)
{
    SetState(ctx, StateNormal);
    PopName();

#ifdef PRINT_TAGS
    printf(""); /* the closing-tag format string was lost in extraction of this listing */
    fflush(stdout);
#endif
    return true;
}

static void DumpTemplateContents(ParseContext* ctx, unsigned int templateIdx)
{
    return ; /* disabled by the author; the dump below is kept for debugging */

    printf("********************* TEMPLATE BEGIN ************************\n");
    printf("Short ID: %08X\n", templates[templateIdx].shortID);
    for ( TemplateFixedPair* ptr = templates[templateIdx].fixedRoot.next; ptr != NULL; ptr = ptr->next )
    {
        printf(" %s = %s\n", ptr->key, ptr->value);
    }
    for ( TemplateArgPair* ptr = templates[templateIdx].argsRoot.next; ptr != NULL; ptr = ptr->next )
    {
        printf(" %s { arg %04X type %04X } \n", ptr->key, ptr->argIdx, ptr->type);
    }
    printf("********************* TEMPLATE END "
           "************************\n");
}

/* A template instance either references an already-seen template (by short ID) or
   carries the template definition inline; the substitution values follow either way. */
static bool ParseTemplateInstance(ParseContext* ctx)
{
    uint8_t b;
    uint32_t numArguments;
    uint32_t shortID;
    uint32_t tempResLen;
    uint32_t totalArgLen = 0;

    if ( !ReadData(ctx, &b) )
        return false;
    if ( b != 0x01 )
        return false;
    if ( !ReadData(ctx, &shortID) )
        return false;
    if ( !ReadData(ctx, &tempResLen) )
        return false;
    if ( !ReadData(ctx, &numArguments) )
        return false;

    // printf("OK, template %08X\n", shortID);

    if ( !IsKnownID(shortID, &ctx->currentTemplateIdx) )
    //if ( numArguments == 0x00000000 )
    {
        uint8_t longID[16];
        uint32_t templateBodyLen;
        ParseContext templateCtx;

        /* template definition follows */
        if ( !ReadData(ctx, &longID[0], sizeof(longID)) )
            return false;
        if ( !ReadData(ctx, &templateBodyLen) )
            return false;
        // printf("Template body, len %08X\n", templateBodyLen);

        templateCtx.data = ctx->data + ctx->offset;
        /* the body length comes from the file; clamp it to what is left in the chunk
           so the template parser cannot read past the chunk buffer (the original
           assigned templateBodyLen directly, with a "mm_min ..." note) */
        templateCtx.dataLen = templateBodyLen;
        if ( templateCtx.dataLen > ctx->dataLen - ctx->offset )
            templateCtx.dataLen = ctx->dataLen - ctx->offset;
        templateCtx.offset = 0;
        templateCtx.chunkContext = ctx;
        templateCtx.offsetFromChunkStart = ctx->offset + ctx->offsetFromChunkStart;
        templateCtx.cachedValue[0] = 0;

        /* more than MAX_IDS templates in one chunk leaves no slot to describe this one */
        if ( !RegisterID(shortID, &templateCtx.currentTemplateIdx) )
            return false;

        if ( !ParseBinXml(&templateCtx, 0) )
            return false;

        SkipBytes(ctx, templateBodyLen);

        if ( !ReadData(ctx, &numArguments) )
            return false;

        ctx->currentTemplateIdx = templateCtx.currentTemplateIdx;

        DumpTemplateContents(ctx, ctx->currentTemplateIdx);
    }

    // printf("Number of arguments: %08X\n", numArguments);

    for ( TemplateFixedPair* ptr = templates[ctx->currentTemplateIdx].fixedRoot.next; ptr != NULL; ptr = ptr->next )
    {
        bool alreadyPrinted = false;

        if ( !strcmp(ptr->key, "EventID") )
        {
            uint16_t eventID = strtoul(ptr->value, NULL, 10);
            if ( ( eventID != 0 ) && ( eventDescriptionHashTable[eventID] != NULL ) )
            {
                printf("'%s':%u (%s), ", ptr->key, eventID, eventDescriptionHashTable[eventID]);
                alreadyPrinted = true;
            }
        }

        if ( !alreadyPrinted )
            printf("'%s':'%s', ", ptr->key, ptr->value);
    }

    // printf("\n");

    /* argument map: (length, type) pairs, one per substitution value */
    size_t argumentMapCount = numArguments * 2;
    uint16_t* argumentMap = (uint16_t*)malloc(sizeof(*argumentMap)*argumentMapCount);
    if ( argumentMap == NULL )
        return false;

    if ( !ReadData(ctx, argumentMap, argumentMapCount) )
    {
        printf("Failed to read the arguments\n");
        free(argumentMap);
        return false;
    }

    for (uint64_t argumentIdx = 0; argumentIdx < numArguments; argumentIdx++)
    {
        uint16_t argLen = argumentMap[argumentIdx*2];
        uint16_t argType = argumentMap[argumentIdx*2 + 1];
        TemplateArgPair* argPair = NULL;

        // printf("\n %08X : [%02X %02X %02X] Arg %" PRIX64" type %08X len %08X\n",
        //     (uint32_t)ctx->offset, ctx->data[ctx->offset], ctx->data[ctx->offset+1], ctx->data[ctx->offset+2],
        //     argumentIdx, argType, argLen);
        for ( TemplateArgPair* ptr = templates[ctx->currentTemplateIdx].argsRoot.next; ptr != NULL; ptr = ptr->next )
        {
            if ( ptr->argIdx == argumentIdx )
            {
                argPair = ptr;
                break;
            }
        }

        if ( argPair == NULL )
        {
            // printf("Argument not found\n");
            SkipBytes(ctx, argLen);
        }
        else
        {
            uint8_t v_b;
            uint16_t v_w;
            uint32_t v_d;
            uint64_t v_q;
            time_t unixTimestamp;
            struct tm localtm;
            struct tm* t;
            uint8_t sid[2+6];
            EvtxGUID guid;
            char* stringBuffer;
            size_t stringNumUsed = 0;
            size_t stringSize = 0;

            switch(argType)
            {
                //// case 0x00: /* void */
                //break;
                case 0x01: /* String */
                    stringSize = argLen*2+2;
                    stringBuffer = (char*)malloc(stringSize);
                    if ( stringBuffer == NULL )
                        return false;
                    for (size_t idx = 0; idx < argLen/2; idx++)
                    {
                        if ( !ReadData(ctx, &v_w) )
                        {
                            free(stringBuffer);
                            return false;
                        }
                        UTF16ToUTF8(v_w, stringBuffer, &stringNumUsed, stringSize);
                    }
                    if ( stringNumUsed >= stringSize )
                        stringNumUsed = stringSize - 1;
                    stringBuffer[stringNumUsed] = 0;
                    printf("'%s':'%s', ", argPair->key, stringBuffer);
                    free(stringBuffer);
                    break;
                case 0x04: /* uint8_t */
                    if ( !ReadData(ctx, &v_b) )
                        return false;
                    printf("'%s':%02u, ", argPair->key, v_b);
                    break;
                case 0x06: /* uint16_t */
                    if ( !ReadData(ctx, &v_w) )
                        return false;

                    if ( !strcmp(argPair->key, "EventID") && ( eventDescriptionHashTable[v_w] != NULL ))
                        printf("'%s':%04u (%s), ", argPair->key, v_w, eventDescriptionHashTable[v_w]);
                    else
                        printf("'%s':%04u, ", argPair->key, v_w);
                    break;
                case 0x08: /* uint32_t */
                    if ( !ReadData(ctx, &v_d) )
                        return false;

                    if ( !strcmp(argPair->key, "LogonType") && ( v_d <= 11 ) && ( logonTypes[v_d] != NULL ))
                        printf("'%s':%08u (%s), ", argPair->key, v_d, logonTypes[v_d]);
                    else
                        printf("'%s':%08u, ", argPair->key, v_d);
                    break;
                case 0x0A: /* uint64_t */
                    if ( !ReadData(ctx, &v_q) )
                        return false;
                    printf("'%s':%016" PRIu64 ", ", argPair->key, v_q);
                    break;
                case 0x0E: /* binary */
                    printf("'%s':", argPair->key);
                    for (size_t idx = 0; idx < argLen; idx++)
                    {
                        if ( !ReadData(ctx, &v_b) )
                            return false;
                        printf("%02X", v_b);
                    }
                    printf(", ");
                    break;
                case 0x0F: /* GUID */
                    if ( !ReadData(ctx, &guid) )
                        return false;
                    printf("'%s':%08X-%02X-%02X-%02X%02X%02X%02X%02X%02X%02X%02X, ", argPair->key,
                        guid.d1, guid.w1, guid.w2,
                        guid.b1[0], guid.b1[1], guid.b1[2], guid.b1[3],
                        guid.b1[4], guid.b1[5], guid.b1[6], guid.b1[7]);
                    break;
                case 0x14: /* HexInt32 */
                    if ( !ReadData(ctx, &v_d) )
                        return false;
                    printf("'%s':%08" PRIX32", ", argPair->key, v_d);
                    break;

                case 0x15: /* HexInt64 */
                    if ( !ReadData(ctx, &v_q) )
                        return false;
                    printf("'%s':%016" PRIX64 ", ", argPair->key, v_q);
                    break;
                case 0x11: /* FileTime */
                    if ( !ReadData(ctx, &v_q) )
                        return false;
                    unixTimestamp = UnixTimeFromFileTime(v_q);
                    t = gmtime_r(&unixTimestamp, &localtm);
                    if ( t == NULL )
                        printf("'%s':%016" PRIX64 ", ", argPair->key, v_q);
                    else
                        printf("'%s':%04u.%02u.%02u-%02u:%02u:%02u, ",
                            argPair->key,
                            t->tm_year+1900, t->tm_mon+1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
                    break;
                case 0x13: /* SID */
                    if ( argLen < sizeof(sid) )
                        return false;
                    if ( !ReadData(ctx, sid, sizeof(sid)) )
                        return false;
                    v_q = 0;
                    for (size_t idx = 0; idx < 6; idx++)
                    {
                        v_q <<= 8;
                        v_q |= sid[2+idx];
                    }
                    printf("'%s':S-%u-%" PRIu64 "", argPair->key, sid[0], v_q);
                    for (size_t idx = sizeof(sid); idx + 4 <= argLen; idx += 4)
                    {
                        if ( !ReadData(ctx, &v_d) )
                            return false;
                        printf("-%u", v_d);
                    }
                    printf(", ");
                    break;
                case 0x21: /* BinXml */
                    {
                        ParseContext temporaryCtx(*ctx);
                        /* the nested document is limited to argLen bytes, and never beyond the chunk */
                        temporaryCtx.dataLen = temporaryCtx.offset + argLen;
                        if ( temporaryCtx.dataLen > ctx->dataLen )
                            temporaryCtx.dataLen = ctx->dataLen;
                        if ( !ParseBinXml(&temporaryCtx, 0) )
                            ;//return false;
                        // printf("=====<<<<< %08X\n", argLen);
                        SkipBytes(ctx, argLen);
                    }
                    break;
                default:
                    if ( argType != 0x00 )
                        printf("'%s':'...//%04X[%04X]', ", argPair->key, argPair->type, argLen);
                    SkipBytes(ctx, argLen);
                    break;
            }
        }

        totalArgLen += argLen;
    }

    free(argumentMap);

    return true;
}


static bool ParseOptionalSubstitution(ParseContext* ctx)
{
    uint16_t substitutionID;
    uint8_t valueType;

    if ( !ReadData(ctx, &substitutionID) )
        return false;
    if ( !ReadData(ctx, &valueType) )
        return false;
    if ( valueType == 0x00 )
    {
        if ( !ReadData(ctx, &valueType) )
            return false;
    }

    // printf("******* %s=<> ", GetName(), substitutionID, valueType);
    RegisterArgPair(ctx->currentTemplateIdx, GetProperKeyName(ctx), valueType, substitutionID);
    SetState(ctx, StateNormal);

    return true;
}

static bool ParseBinXmlPre(const uint8_t* data, size_t dataLen, size_t inFileOffset, size_t inChunkOffset)
{
    ParseContext ctx;

    ctx.data = data;
    ctx.dataLen = dataLen;
    ctx.offset = inChunkOffset;
    ctx.currentTemplateIdx = INVALID_TEMPLATE_IDX;
    ctx.chunkContext = &ctx;
    ctx.offsetFromChunkStart = 0;
    ctx.cachedValue[0] = 0;

    return ParseBinXml(&ctx, inFileOffset);
}

/* Token dispatch loop for binary XML; every token handler reads through ReadData,
   which refuses to go past ctx->dataLen. */
static bool ParseBinXml(ParseContext* ctx, size_t inFileOffset)
{
    bool result = true;

    ctx->state = StateNormal;

    // printf("ParseBinXml(%08X, %08X)\n", (uint32_t)ctx->offset, (uint32_t)ctx->dataLen);

    while ( result && ( ctx->offset < ctx->dataLen ) )
    {
        uint8_t tag = ctx->data[ctx->offset++];

        // printf("%08zX: %02X ", inFileOffset + ctx->offset, tag);
        // fflush(stdout);
        // printf("%08zX: %02X %02X %02X", inFileOffset + ctx->offset, tag, ctx->data[ctx->offset], ctx->data[ctx->offset+1]);

        switch(tag)
        {
            case 0x00: /* EOF */
                ctx->offset = ctx->dataLen;
                break;
            case 0x01: /* OpenStartElementToken */
                result = ParseOpenStartElement(ctx, false);
                break;
            case 0x41:
                result = ParseOpenStartElement(ctx, true);
                break;
            case 0x02: /* CloseStartElementToken */
                result = ParseCloseStartElement(ctx);
                break;
            case 0x03: /* CloseEmptyElementToken */
            case 0x04: /* CloseElementToken */
                result = ParseCloseElement(ctx);
                break;
            case 0x05: /* ValueTextToken */
            case 0x45:
                result = ParseValueText(ctx);
                break;
            case 0x06: /* AttributeToken */
            case 0x46:
                result = ParseAttributes(ctx);
                break;
            case 0x07: /* CDATASectionToken */
            case 0x47:
                break;
            case 0x08: /* CharRefToken */
            case 0x48:
                break;
            case 0x09: /* EntityRefToken */
            case 0x49:
                break;
            case 0x0A: /* PITargetToken */
                break;
            case 0x0B: /* PIDataToken */
                break;
            case 0x0C: /* TemplateInstanceToken */
                result = ParseTemplateInstance(ctx);
                break;
            case 0x0D: /* NormalSubstitutionToken */
            case 0x0E: /* OptionalSubstitutionToken */
                result = ParseOptionalSubstitution(ctx);
                break;
            case 0x0F: /* FragmentHeaderToken */
                SkipBytes(ctx, 3);
                break;

            default:
                result = false;
                break;
        }

        // printf("\n");
    }

    return result;
}

/* Read the file header, then each 64 KiB chunk in turn and every record inside it. */
static bool ParseEVTXInt(int f)
{
    EvtxHeader header;
    uint64_t off = 0;
    uint8_t* chunk;
    bool result = true;

    if ( read(f, &header, sizeof(header)) != sizeof(header) )
        return false;
    if ( header.version != 0x00030001)
        return false;

#ifdef PRINT_TAGS
    printf("Number of chunks: %" PRIu64 " %" PRIu64 " header sz %zu\n", header.numberOfChunksAllocated, header.numberOfChunksUsed, sizeof(header));
#endif

    off = sizeof(header);

    chunk = (uint8_t*)malloc(EVTX_CHUNK_SIZE);
    if ( chunk == NULL )
        return false;

    while ( result )
    {
        EvtxChunkHeader* chunkHeader = (EvtxChunkHeader*)chunk;
        uint64_t inRecordOff;

        ResetTemplates();

        if ( lseek(f, off, SEEK_SET) != off )
        {
            result = false;
            break;
        }
        if ( read(f, chunk, EVTX_CHUNK_SIZE) != EVTX_CHUNK_SIZE )
            break;

        if ( memcmp(chunkHeader->magic, EVTX_CHUNK_HEADER_MAGIC, sizeof(EVTX_CHUNK_HEADER_MAGIC)) )
        {
            // result = false;
            break;
        }

        // printf("Chunk %" PRIu64 " .. %" PRIu64 "\n", chunkHeader->firstRecordNumber, chunkHeader->lastRecordNumber);

        inRecordOff = sizeof(*chunkHeader);

        while ( result )
        {
            EvtxRecordHeader* recordHeader = (EvtxRecordHeader*)(chunk + inRecordOff);
            time_t unixTimestamp;
            struct tm localtm;
            struct tm* t;

            if ( inRecordOff + sizeof(*recordHeader) > EVTX_CHUNK_SIZE )
                break;

            if ( recordHeader->magic != 0x00002a2a )
            {
#ifdef PRINT_TAGS
                printf("Record header mismatch at %08X\n", (uint32_t)(off + inRecordOff));
#endif
                break;
            }

            /* the record size comes from the file: a size below the header length
               would never advance the walk and one past the chunk end cannot be
               a valid record, so stop this chunk here */
            if ( recordHeader->size < sizeof(*recordHeader) ||
                 inRecordOff + recordHeader->size > EVTX_CHUNK_SIZE )
                break;

            unixTimestamp = UnixTimeFromFileTime(recordHeader->timestamp);
            t = gmtime_r(&unixTimestamp, &localtm);
            if ( t == NULL )
            {
                result = false;
                break;
            }

            // printf("%" PRIX64 ": Record %" PRIu64 " %04u.%02u.%02u-%02u:%02u:%02u ", inRecordOff, recordHeader->number, t->tm_year+1900, t->tm_mon+1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
            printf("Record #%" PRIu64 " %04u.%02u.%02u-%02u:%02u:%02u ", recordHeader->number, t->tm_year+1900, t->tm_mon+1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);

            if ( !ParseBinXmlPre(chunk,
                                 EVTX_CHUNK_SIZE,
                                 off + inRecordOff + sizeof(*recordHeader),
                                 inRecordOff + sizeof(*recordHeader) ) )
            {
                if ( recordHeader->number >= chunkHeader->firstRecordNumber &&
                     recordHeader->number <= chunkHeader->lastRecordNumber )
                {
                    result = false;
                }
                break;
            }
            printf("\n");

            inRecordOff += recordHeader->size;
        }

        off += EVTX_CHUNK_SIZE;

        if ( inRecordOff > off )
        {
            result = false;
            break;
        }
    }

    free(chunk);

    return result;
}

static bool ParseEVTX(const char* fileName)
{
    bool result;
    int f = open(fileName, O_RDONLY|O_BINARY);
    if ( f < 0 )
        return false;

    result = ParseEVTXInt(f);
    if ( !result )
        printf("Failed on %s\n", fileName);
    close(f);
    return result;
}

/* Build the event-ID -> description table from the "NNNN(S, F) text" strings in eventlist.h. */
static void InitEventDescriptions(void)
{
    for (size_t idx = 0; idx < sizeof(eventDescriptions)/sizeof(eventDescriptions[0]); idx++)
    {
        char* nptr = NULL;
        uint16_t eventID = strtoul(eventDescriptions[idx], &nptr, 10);
        if ( ( nptr == NULL ) || ( eventID == 0 ) )
            continue;
        while (*nptr != ')' && *nptr != 0)
            nptr++;
        while (*nptr == ' ' || *nptr == ')')
            nptr++;
        // printf("%04u - %s\n", eventID, nptr);
        eventDescriptionHashTable[eventID] = nptr;
    }
}

#ifdef _WIN32

#ifndef __MINGW64_VERSION_MAJOR

extern "C"
{
    BOOL (WINAPI *Wow64DisableWow64FsRedirection)(
        PVOID *OldValue
    ) = (BOOL(WINAPI*)(PVOID*))GetProcAddress(GetModuleHandle(L"KERNEL32.DLL"), "Wow64DisableWow64FsRedirection");

    BOOL (WINAPI * Wow64RevertWow64FsRedirection)(
        PVOID OldValue )
    = (BOOL(WINAPI*)(PVOID))GetProcAddress(GetModuleHandle(L"KERNEL32.DLL"), "Wow64RevertWow64FsRedirection");
}

#endif

#endif


int main(int argc, char* argv[])
{
    void* redir;

#ifdef _WIN32
    if (Wow64DisableWow64FsRedirection != NULL )
        Wow64DisableWow64FsRedirection(&redir);
#endif

    eventDescriptionHashTable = (const char**)malloc(sizeof(const char*) * 65536 );
    if ( eventDescriptionHashTable == NULL )
        return 1;
    memset(eventDescriptionHashTable, 0, sizeof(const char*)*65536);
    InitTemplates();
    InitEventDescriptions();
    for (int idx = 1; idx < argc; idx++)
        ParseEVTX(argv[idx]);
    free(eventDescriptionHashTable);

#ifdef _WIN32
    if (Wow64RevertWow64FsRedirection != NULL)
        Wow64RevertWow64FsRedirection(redir);
#endif

    return 0;
}

--------------------------------------------------------------------------------
/SOURCES/tools/wintime.h:
--------------------------------------------------------------------------------
/*
 * Filename: wintime.h
 * Author: Igor Soumenkov, igosha@kaspersky.com, Kaspersky Lab
 * Description: Utility for converting Windows timestamps to Unix timestamps
 */

#ifndef wintime_h_included
#define wintime_h_included

/* include targets lost in extraction; stdint.h is what the function needs (editorial reconstruction) */
#include <stdint.h>
#include <time.h>

// SystemTimeToVariantTime

/* FILETIME counts 100 ns ticks since 1601-01-01; 11644473600 s separate that epoch from 1970-01-01 */
static uint64_t UnixTimeFromFileTime(uint64_t fileTime)
{
    return ( fileTime - 11644473600000ULL * 10000) / 10000000;
}

#endif

--------------------------------------------------------------------------------
/SOURCES/utils/igmacro.h:
--------------------------------------------------------------------------------
#ifndef igmacro_h_included
#define igmacro_h_included

/* include targets lost in extraction; these are the headers the macros and
   functions below use (editorial reconstruction) */
#include <stdlib.h>
#include <string.h>
#include <time.h>


#if !defined(__FreeBSD__) && !defined(__APPLE__)

#if defined(_WIN32)
#include <windows.h> /* editorial reconstruction of the lost include target */

#endif

static void srandomdev(void)
{
#ifdef __linux__
    srandom(time(NULL));
#else
    srand(time(NULL));
#endif
}

#ifndef __linux__
static long random(void)
{
    return rand();
}
#endif

#endif

#ifndef _WIN32
#define STATIC_INLINE static inline
#else
#define STATIC_INLINE
#endif

#define NORETURN __attribute__((noreturn))

#define ZERO_STRUCT(str) memset(&str, 0, sizeof(str))

#define MACRO_FUNC(return_type, name) STATIC_INLINE return_type name
#define PRIVATE_FUNC(return_type, name) static return_type name

#define PUBLIC_FUNC(return_type, name) return_type name

#define PUBLIC_METHOD(type_name, return_type, name, ...)
return_type name (const void* pvThis, __VA_ARGS__) 50 | #define PUBLIC_METHOD_NOPARAMS(type_name, return_type, name) return_type name (const void* pvThis) 51 | 52 | #define PUBLIC_METHOD_START(type_name) type_name *This = (type_name*)pvThis; (void)This; 53 | 54 | #ifndef NDEBUG 55 | #define DEBUG_PRINTF(...) printf(__VA_ARGS__) 56 | #define ASSERT_INT_EQ(expr, value) { int iExpr = expr; assert(iExpr == value); } 57 | #define ASSERT_BOOL(expr) { int iExpr = expr; assert(iExpr); } 58 | 59 | #else 60 | #define DEBUG_PRINTF(...) 61 | #define ASSERT_INT_EQ(expr, value) (void)expr 62 | #define ASSERT_BOOL(expr) (void)expr 63 | #endif 64 | 65 | enum 66 | { 67 | eLOOP_NEXT = 1, 68 | eLOOP_STOP = 2, 69 | eLOOP_OK = 3 70 | }; 71 | 72 | #define LOOP_MACRO_FUNC(name) static inline int name 73 | #define LOOP_NEXT() return eLOOP_NEXT 74 | #define LOOP_STOP() return eLOOP_STOP 75 | #define LOOP_OK() return eLOOP_OK 76 | 77 | #define INVOKE_LOOP_MACRO_FUNC(name, ...) \ 78 | {\ 79 | int iRet = name(__VA_ARGS__);\ 80 | if (iRet == eLOOP_NEXT)\ 81 | continue;\ 82 | else if (iRet == eLOOP_STOP)\ 83 | break;\ 84 | } 85 | 86 | 87 | #ifdef __cplusplus 88 | 89 | #define EXTERN_C_BEGIN extern "C" { 90 | #define EXTERN_C_END } 91 | 92 | #else /* #ifdef __cplusplus */ 93 | 94 | #define EXTERN_C_BEGIN 95 | #define EXTERN_C_END 96 | 97 | #endif 98 | 99 | #ifndef GCC_PACKED 100 | #ifndef _MSC_VER 101 | #define GCC_PACKED __attribute__((__packed__, aligned(1))) 102 | #else 103 | #define GCC_PACKED 104 | #endif 105 | #endif 106 | 107 | #define ARRAY_COUNT(arr) ( sizeof(arr) / sizeof(arr[0]) ) 108 | 109 | #endif 110 | 111 | -------------------------------------------------------------------------------- /SOURCES/utils/win_types.h: -------------------------------------------------------------------------------- 1 | #ifndef win_types_h_included 2 | #define win_types_h_included 3 | 4 | #define _CRT_SECURE_NO_WARNINGS 1 5 | #define _CRT_NONSTDC_NO_DEPRECATE 1 6 | 7 | 8 | #ifdef _WIN32 9 | #define 
DLLEXPORT __declspec(dllexport) 10 | #else 11 | #define DLLEXPORT 12 | #endif 13 | 14 | #include "igmacro.h" 15 | 16 | #ifdef _WIN32 17 | 18 | #include 19 | #include 20 | // #include 21 | #include 22 | 23 | #ifdef _MSC_VER 24 | typedef unsigned __int64 uint64_t; 25 | typedef __int64 int64_t; 26 | typedef signed int int32_t; 27 | typedef DWORD uint32_t; 28 | typedef WORD uint16_t; 29 | typedef BYTE uint8_t; 30 | #else 31 | #include 32 | #endif 33 | 34 | EXTERN_C_BEGIN 35 | extern char *optarg; /* argument associated with option */ 36 | EXTERN_C_END 37 | 38 | typedef int socklen_t; 39 | typedef uint16_t in_port_t; 40 | typedef uint32_t in_addr_t; 41 | 42 | #define random rand 43 | #define strncasecmp _strnicmp 44 | 45 | // #ifndef GCC_PACKED 46 | // #define GCC_PACKED 47 | // #endif 48 | 49 | #ifndef __MINGW64_VERSION_MAJOR 50 | #define snprintf _snprintf 51 | #endif 52 | 53 | #define ioctl ioctlsocket 54 | 55 | #define sleep(x) Sleep(x*1000) 56 | 57 | EXTERN_C_BEGIN 58 | int getopt(int nargc, char * const nargv[], const char* ostr); 59 | EXTERN_C_END 60 | 61 | #if defined (_MSC_VER) 62 | 63 | #define asm __asm 64 | #define strdup _strdup 65 | /*#define open _open 66 | #define read _read 67 | #define close _close*/ 68 | #define isnan _isnan 69 | 70 | #include 71 | #include 72 | 73 | static int isinf(double value) 74 | { 75 | return !isnan(value) && isnan(value - value); 76 | } 77 | 78 | static int signbit(double value) 79 | { 80 | return ( _copysign(1.0, value) < 0.0 ? 1 : 0 ); 81 | } 82 | 83 | #endif 84 | 85 | #else 86 | 87 | #include 88 | #include 89 | 90 | typedef uint64_t ULONGLONG; 91 | typedef uint32_t DWORD; 92 | typedef uint16_t WORD; 93 | typedef uint8_t BYTE; 94 | 95 | #define O_BINARY 0 96 | // #define GCC_PACKED __attribute__((__packed__)) 97 | #define closesocket close 98 | 99 | #define MAX_PATH 260 100 | 101 | #endif 102 | 103 | #ifdef _WIN32 104 | /*- 105 | * Copyright (c) 2009 David Schultz 106 | * All rights reserved. 
107 | * 108 | * Redistribution and use in source and binary forms, with or without 109 | * modification, are permitted provided that the following conditions 110 | * are met: 111 | * 1. Redistributions of source code must retain the above copyright 112 | * notice, this list of conditions and the following disclaimer. 113 | * 2. Redistributions in binary form must reproduce the above copyright 114 | * notice, this list of conditions and the following disclaimer in the 115 | * documentation and/or other materials provided with the distribution. 116 | * 117 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 118 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 119 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 120 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 121 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 122 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 123 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 124 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 125 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 126 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 127 | * SUCH DAMAGE. 128 | */ 129 | 130 | #ifndef __MINGW64_VERSION_MAJOR 131 | #include 132 | 133 | static size_t 134 | strnlen(const char *s, size_t maxlen) 135 | { 136 | size_t len; 137 | 138 | for (len = 0; len < maxlen; len++, s++) { 139 | if (!*s) 140 | break; 141 | } 142 | return (len); 143 | } 144 | 145 | #endif 146 | 147 | #endif 148 | 149 | #endif 150 | 151 | --------------------------------------------------------------------------------
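The record loop in ParseEVTXInt (main_parse_evtx.cpp above) advances through a chunk by recordHeader->size and converts each FILETIME with UnixTimeFromFileTime. As an added example that is not part of the ForensicsTools sources, here is a bounds-checked version of that walk over one chunk, run against a constructed chunk whose last record carries a size of 0; the layout constants (512-byte chunk header, 24-byte record header, trailing size copy) come from the public EVTX format, and every name is my own.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not from the ForensicsTools sources; names are mine. Per the
 * public EVTX format a 64 KiB chunk starts with a 512-byte header, and each
 * record starts with magic 0x00002a2a, a 32-bit total size, a 64-bit record
 * number and a 64-bit FILETIME, and ends with a copy of the size field. */
#define EX_CHUNK_SIZE      65536u
#define EX_CHUNK_HDR_SIZE  512u
#define EX_RECORD_MAGIC    0x00002a2au
#define EX_RECORD_HDR_SIZE 24u
typedef struct { uint64_t number; uint64_t unixTime; } ExRecordInfo;
static uint32_t rd32(const uint8_t* p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t* p) { uint64_t v; memcpy(&v, p, 8); return v; }
/* FILETIME = 100 ns ticks since 1601; pre-1970 values give 0 instead of wrapping. */
static uint64_t ExUnixFromFileTime(uint64_t ft)
{
    const uint64_t d = 11644473600000ULL * 10000;
    return ft < d ? 0 : (ft - d) / 10000000;
}
/* Walks one chunk's records into `out` (at most `max`), stopping at the first
 * malformed header so a zero or oversized size field can neither loop forever
 * nor read past the chunk. Returns the number of records accepted. */
static size_t ExWalkChunkRecords(const uint8_t* chunk, ExRecordInfo* out, size_t max)
{
    size_t off = EX_CHUNK_HDR_SIZE, n = 0;
    while (n < max && off + EX_RECORD_HDR_SIZE <= EX_CHUNK_SIZE) {
        const uint8_t* r = chunk + off;
        uint32_t size = rd32(r + 4);
        if (rd32(r) != EX_RECORD_MAGIC) break;                    /* end of used data */
        if (size < EX_RECORD_HDR_SIZE + 4 || size > EX_CHUNK_SIZE - off) break;
        if (rd32(r + size - 4) != size) break;                    /* trailing size copy */
        out[n].number = rd64(r + 8);
        out[n].unixTime = ExUnixFromFileTime(rd64(r + 16));
        n++; off += size;
    }
    return n;
}
/* Constructed sample: two 40-byte records, then a header whose size field is 0. */
static void ExBuildSampleChunk(uint8_t* chunk)
{
    uint32_t magic = EX_RECORD_MAGIC, size = 40;
    uint64_t ft = 132000000000000000ULL;            /* FILETIME, 2019-04-17 18:40 UTC */
    uint8_t* p = chunk + EX_CHUNK_HDR_SIZE;
    memset(chunk, 0, EX_CHUNK_SIZE);
    for (uint64_t num = 1; num <= 3; num++, p += size) {
        memcpy(p, &magic, 4); memcpy(p + 8, &num, 8); memcpy(p + 16, &ft, 8);
        if (num == 3) break;                          /* size stays 0 */
        memcpy(p + 4, &size, 4); memcpy(p + size - 4, &size, 4);
    }
}
```

Against the sample, the walk returns 2 and halts on the zero-size header rather than re-reading it, which is the failure mode a crafted or truncated .evtx would otherwise trigger in an unguarded `off += size` loop.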